diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md index 384ec1f2c0b1b..0b3352e41aeb2 100644 --- a/content/en/docs/reference/access-authn-authz/authorization.md +++ b/content/en/docs/reference/access-authn-authz/authorization.md 
@@ -155,41 +155,14 @@ is reachable from the public internet. ### Authorization mode configuration {#choice-of-authz-config} You can configure the Kubernetes API server's authorizer chain using either -[command line arguments](#using-flags-for-your-authorization-module) only or, as a beta feature, -using a [configuration file](#using-configuration-file-for-authorization). +a [configuration file](#using-configuration-file-for-authorization) only or +[command line arguments](#using-flags-for-your-authorization-module). You have to pick one of the two configuration approaches; setting both `--authorization-config` path and configuring an authorization webhook using the `--authorization-mode` and `--authorization-webhook-*` command line arguments is not allowed. If you try this, the API server reports an error message during startup, then exits immediately. -### Command line authorization mode configuration {#using-flags-for-your-authorization-module} - -{{< feature-state state="stable" for_k8s_version="v1.8" >}} - -You can use the following modes: - -* `--authorization-mode=ABAC` (Attribute-based access control mode) -* `--authorization-mode=RBAC` (Role-based access control mode) -* `--authorization-mode=Node` (Node authorizer) -* `--authorization-mode=Webhook` (Webhook authorization mode) -* `--authorization-mode=AlwaysAllow` (always allows requests; carries [security risks](#warning-always-allow)) -* `--authorization-mode=AlwaysDeny` (always denies requests) - -You can choose more than one authorization mode; for example: -`--authorization-mode=Node,RBAC,Webhook` - -Kubernetes checks authorization modules based on the order that you specify them -on the API server's command line, so an earlier module has higher priority to allow -or deny a request. 
- -You cannot combine the `--authorization-mode` command line argument with the -`--authorization-config` command line argument used for -[configuring authorization using a local file](#using-configuration-file-for-authorization-mode). - -For more information on command line arguments to the API server, read the -[`kube-apiserver` reference](/docs/reference/command-line-tools-reference/kube-apiserver/). - @@ -337,6 +310,31 @@ A reload **must not** add or remove Node or RBAC authorizers (they can be reorde but cannot be added or removed). {{< /note >}} +### Command line authorization mode configuration {#using-flags-for-your-authorization-module} + +You can use the following modes: + +* `--authorization-mode=ABAC` (Attribute-based access control mode) +* `--authorization-mode=RBAC` (Role-based access control mode) +* `--authorization-mode=Node` (Node authorizer) +* `--authorization-mode=Webhook` (Webhook authorization mode) +* `--authorization-mode=AlwaysAllow` (always allows requests; carries [security risks](#warning-always-allow)) +* `--authorization-mode=AlwaysDeny` (always denies requests) + +You can choose more than one authorization mode; for example: +`--authorization-mode=Node,RBAC,Webhook` + +Kubernetes checks authorization modules based on the order that you specify them +on the API server's command line, so an earlier module has higher priority to allow +or deny a request. + +You cannot combine the `--authorization-mode` command line argument with the +`--authorization-config` command line argument used for +[configuring authorization using a local file](#using-configuration-file-for-authorization-mode). + +For more information on command line arguments to the API server, read the +[`kube-apiserver` reference](/docs/reference/command-line-tools-reference/kube-apiserver/). + ## Privilege escalation via workload creation or edits {#privilege-escalation-via-pod-creation} Users who can create/edit pods in a namespace, either directly or through an object that
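Review bot: In the rewritten intro sentence of the hunk at `@@ -155,41 +155,14 @@`, the word "only" was carried over from the old wording and now trails the configuration file option ("a [configuration file](#using-configuration-file-for-authorization) only or [command line arguments](...)"), which reads as if exclusivity applies to the file alone. The paragraph that follows already states that the two approaches cannot be combined, so drop "only", for example "using either a configuration file or command line arguments". The same edit removes "as a beta feature" from the configuration file option; if that reflects a graduation, the configuration file section should carry the matching feature-state so the page still tells operators how mature the mechanism is.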
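Review bot: The section re-added by the hunk at `@@ -337,6 +310,31 @@` links to `#using-configuration-file-for-authorization-mode`, while the intro sentence changed in the first hunk links to `#using-configuration-file-for-authorization`; the two anchors differ, so one of them is probably stale and both links should point at the same heading id. The move also drops the `{{< feature-state state="stable" for_k8s_version="v1.8" >}}` shortcode that the removed copy of this section carried directly under its heading; re-add it after the heading unless the omission is deliberate, and say so in the commit message if it is. The rest of the moved text is unchanged from the removed copy.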